DocumentCode :
2518361
Title :
Vulnerability in Public Malware Sandbox Analysis Systems
Author :
Yoshioka, Katsunari ; Hosobuchi, Yoshikhiko ; Orii, Tatsunori ; Matsumoto, Tsutomu
Author_Institution :
Yokohama Nat. Univ., Yokohama, Japan
fYear :
2010
fDate :
19-23 July 2010
Firstpage :
265
Lastpage :
268
Abstract :
The use of Public Malware Sandbox Analysis Systems (public MSASs), which receive online submissions of possibly malicious executables from arbitrary users, analyze their behavior by executing them in a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. In such systems, the sandbox for analysis is often connected to the Internet because modern malware communicates with remote hosts for various reasons, such as receiving command and control (C&C) messages and update files. However, connecting the sandbox to these hosts involves the risk that the analysis activities may be detected and disturbed by the attackers who control them. In this paper, we discuss the issue of sandbox detection in the case of public MSASs. Namely, we point out that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal the potentially malicious behavior of malware. We have termed such an attack Decoy Sample Injection (DSI). We conducted a case study of nine existing public MSASs and found that six utilized Internet-connected sandboxes with very few IP addresses and were therefore vulnerable to DSI. In addition, it was revealed that certain background analysis activities of these systems can be exposed by the attack. Finally, we discuss the mitigation of DSI by dynamic IP address acquisition.
Keywords :
Internet; invasive software; Internet-connected sandbox; decoy sample; decoy sample injection attack; public malware sandbox analysis systems; sandbox detection; Conferences; IP networks; Internet; Malware; Servers; Surveillance; Web sites; Malware sandbox analysis; Sandbox detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on
Conference_Location :
Seoul
Print_ISBN :
978-1-4244-7526-1
Electronic_ISBN :
978-0-7695-4107-5
Type :
conf
DOI :
10.1109/SAINT.2010.16
Filename :
5598065